Example For Configuring The Blacklist - Huawei S9700 Series Configuration Manual


S9700 Core Routing Switch
Configuration Guide - SPU

2.15.3 Example for Configuring the Blacklist

This example shows how the blacklist is applied on a network. By using a blacklist, the
SPU can block attacks initiated from specific IP addresses.
Networking Requirements
As shown in Figure 2-4, Eth-Trunk1.1 of the SPU is connected to an internal network with high
security, and Eth-Trunk1.2 is connected to the external network with low security.

The SPU needs to apply IP address sweeping defense and blacklist policies to the packets sent
from the Internet to the enterprise intranet. If the SPU finds that an IP address attacks the
enterprise intranet through IP address sweeping, it adds the IP address to the blacklist. The
maximum session rate is 5000 pps, and the blacklist timeout is 30 minutes.

When the SPU detects that IP address 202.39.1.2 attacks the enterprise intranet multiple times,
you can add the IP address to the blacklist manually. Then the IP address will always be in the
blacklist.

The SPU is installed in slot 5 of the S9700. The flows on the S9700 need to be imported to the
SPU through GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2.

Configuration file of the S9700
#
vlan batch 10 20
#
interface GigabitEthernet1/0/10
 port link-type access
 port default vlan 10
#
interface GigabitEthernet1/0/11
 port link-type trunk
 port trunk allow-pass vlan 20
#
interface Eth-Trunk 0
 port link-type trunk
 port trunk allow-pass vlan 10 20
#
interface XGigabitEthernet 5/0/0
 Eth-Trunk 0
#
interface XGigabitEthernet 5/0/1
 Eth-Trunk 0
#
return

Issue 01 (2012-03-15)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Firewall Configuration
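
The blacklist behaviour set out under Networking Requirements (an address that sweeps faster than the 5000 limit is blacklisted for 30 minutes, while the manually added 202.39.1.2 stays blacklisted) is modelled below in Python. This is an added illustration, not Huawei code or SPU configuration; the one-second counting window, the counting of distinct destination addresses, the class and function names, and the sample addresses 198.51.100.7 and 10.0.0.0 are assumptions.

```python
# Simplified model of the blacklist behaviour described above; not SPU code.
# Assumption: a sweep = distinct destinations contacted by one source per second.
import ipaddress

MAX_RATE = 5000              # maximum session rate from the example (per second)
BLACKLIST_TIMEOUT = 30 * 60  # automatic entries age out after 30 minutes
PERMANENT = float("inf")     # manually added entries never age out


class Blacklist:
    def __init__(self):
        self.expiry = {}     # source IP -> time (s) at which the entry ages out
        self.window = {}     # source IP -> (second, destinations seen in it)

    def add_manual(self, src):
        self.expiry[src] = PERMANENT

    def is_blocked(self, src, now):
        expiry = self.expiry.get(src)
        if expiry is None:
            return False
        if now >= expiry:
            del self.expiry[src]          # automatic entry timed out
            return False
        return True

    def on_packet(self, src, dst, now):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self.is_blocked(src, now):
            return False
        second, seen = self.window.get(src, (None, set()))
        if second != int(now):
            second, seen = int(now), set()    # start a new one-second window
        seen.add(dst)
        self.window[src] = (second, seen)
        if len(seen) > MAX_RATE:              # sweep detected: blacklist source
            self.expiry[src] = now + BLACKLIST_TIMEOUT
            return False
        return True


def simulate():
    bl = Blacklist()
    bl.add_manual("202.39.1.2")               # address from the example
    base = int(ipaddress.ip_address("10.0.0.0"))   # constructed intranet range
    # Constructed sweep: 198.51.100.7 probes 5001 addresses in one second.
    forwarded = sum(bl.on_packet("198.51.100.7", str(ipaddress.ip_address(base + i)), 100.0)
                    for i in range(MAX_RATE + 1))
    return bl, forwarded
```

In the constructed run the first 5000 probes are forwarded, the 5001st triggers the automatic entry, and that entry disappears 1800 seconds later while the manual entry remains.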
